Information leakage can be likened to leaky pipes. Whenever something comes out, it is almost always undesirable and results in some sort of damage. Information leakage is typically an abused resource that precedes attack. In the same way that military generals rely on information from reconnaissance troops that have penetrated enemy lines to observe the type of weapons, manpower, supplies, and other resources possessed by the enemy, attackers enter the network to perform the same tasks, gathering information about programs, operating systems, and network design on the target network.

Service Information Leakage

Information leakage occurs in many forms. Banners are one example. Banners are the text presented to a user when they attempt to log into a system via any one of the many services. Banners can be found on such services as File Transfer Protocol (FTP), secure shell (SSH), telnet, Simple Mail Transfer Protocol (SMTP), and Post Office Protocol 3 (POP3). Many software packages for these services happily yield version information to outside users in their default configuration.

Another similar problem is error messages. Services such as Web servers yield more than ample information about themselves when an exception condition is created. An exception condition is defined by a circumstance out of the ordinary, such as a request for a page that does not exist, or a command that is not recognized. In these situations, it is best to make use of the customizable error configurations supplied, or create a workaround configuration. Observe Figure 2.4 for a leaky error message from Apache.

Protocol Information Leakage

In addition to the previously mentioned cases of information leakage, there is also what is termed protocol analysis. Protocol analysis exists in numerous forms. One type of analysis is using the constraints of a protocol's design against a system to yield information about a system.
Observe this FTP system type query:

    elliptic@ellipse:~$ telnet parabola.cipherpunks.com 21
    Trying 192.168.1.2...
    Connected to parabola.cipherpunks.com.
    Escape character is '^]'.
    220 parabola FTP server (Version: 9.2.1-4) ready.
    SYST
    215 UNIX Type: L8 Version: SUNOS

[Figure 2.4 An HTTP Server Revealing Version Information]

40 Chapter 2 • Classes of Attack

This problem also manifests itself in such services as HTTP. Observe the leakage of information through the HTTP HEAD command:

    elliptic@ellipse:~$ telnet www.cipherpunks.com 80
    Trying 192.168.1.2...
    Connected to www.cipherpunks.com.
    Escape character is '^]'.
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Wed, 05 Dec 2001 11:25:13 GMT
    Server: Apache/1.3.22 (Unix)
    Last-Modified: Wed, 28 Nov 2001 22:03:44 GMT
    ETag: "30438-44f-3c055f40"
    Accept-Ranges: bytes
    Content-Length: 1103
    Connection: close
    Content-Type: text/html
    Connection closed by foreign host.

Attackers also perform protocol analysis through a number of other methods. One such method is the analysis of responses to IP packets, an attack based on the previously mentioned concept, but working on a lower level. Automated tools, such as the Network Mapper, or Nmap, provide an easy-to-use utility designed to gather information about a target system, including publicly reachable ports on the system, and the operating system of the target. Observe the output from an Nmap scan:

    elliptic@ellipse:~$ nmap -sS -O parabola.cipherpunks.com
    Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
    Interesting ports on parabola.cipherpunks.com (192.168.1.2):
    (The 1533 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp
    22/tcp     open        ssh
    25/tcp     open        smtp
    53/tcp     open        domain
    80/tcp     open        http
    Remote operating system guess: Solaris 2.6 - 2.7
    Uptime 5.873 days (since Thu Nov 29 08:03:04 2001)
    Nmap run completed -- 1 IP address (1 host up) scanned in 67 seconds

First, let's explain the flags (also known as options) used to scan parabola. The -sS flag uses a SYN scan, exercising half-open connections to determine which ports are open on the host. The -O flag tells Nmap to identify the operating system, if possible, based on known responses stored in a database. As you can see, Nmap was able to identify all open ports on the system, and accurately guess the operating system of parabola (which is actually a Solaris 7 system running on a Sparc).

All of these types of problems present information leakage, which could lead to an attacker gaining more than ample information about your network to launch a strategic attack.

Leaky by Design

This overall problem is not specific to system identification. Some programs happily and willingly yield sensitive information about network design. Protocols such as Simple Network Management Protocol (SNMP) use clear text communication to interact with other systems. To make matters worse, many SNMP implementations yield information about network design with minimal or easily guessed authentication requirements, à la community strings.

Sadly, SNMP is still commonly used. Systems such as Cisco routers are capable of SNMP. Some operating systems, such as Solaris, install and start SNMP facilities by default.
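The check below is an added example, not code from the chapter. It takes the FTP greeting, the SYST reply and the HTTP HEAD response shown above (re-typed here as constructed strings), plus a constructed SMTP banner and a hardened HTTP sample that are assumptions of the example, and reports the version numbers and operating-system names each one volunteers. This is the audit an administrator would run against their own hosts after tightening banner and header settings, to confirm the leak is actually closed.

```python
import re

# Constructed sample responses for this example. The first three mirror the
# FTP and HTTP transcripts shown in the chapter; the SMTP and hardened HTTP
# samples are plausible defaults added here, not taken from the chapter.
SAMPLES = {
    "ftp-greeting": "220 parabola FTP server (Version: 9.2.1-4) ready.",
    "ftp-syst": "215 UNIX Type: L8 Version: SUNOS",
    "http": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Wed, 05 Dec 2001 11:25:13 GMT\r\n"
        "Server: Apache/1.3.22 (Unix)\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
    "smtp": "220 mail.example.com ESMTP Sendmail 8.11.6/8.11.6; Wed, 05 Dec 2001 11:25:13 -0000",
    "http-hardened": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}

# A dotted version number, optionally followed by a "-4" or "-p1" style suffix.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*(?:[-.]\w+)*")
# Operating-system names that default banners commonly volunteer.
OS_RE = re.compile(r"\b(?:unix|linux|sunos|solaris|bsd|win32|windows|debian|red hat)\b", re.I)

# Response headers that typically carry software and platform details.
DISCLOSING_HEADERS = ("server", "x-powered-by")


def disclosing_header_values(response):
    """Return the joined values of Server / X-Powered-By headers in a raw HTTP response."""
    head = response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in DISCLOSING_HEADERS:
            values.append(value.strip())
    return " ".join(values)


def find_leaks(text):
    """Return an ordered, de-duplicated list of (kind, token) pairs found in text."""
    leaks = []
    for kind, regex in (("version", VERSION_RE), ("os", OS_RE)):
        for match in regex.finditer(text):
            item = (kind, match.group(0))
            if item not in leaks:
                leaks.append(item)
    return leaks


def audit(response):
    """Report version numbers and OS names a service banner or HTTP response gives away."""
    if response.startswith("HTTP/"):
        # Only the disclosing headers matter; the status line's "HTTP/1.1" is not a leak.
        text = disclosing_header_values(response)
    else:
        # Drop the three-digit reply code ("220 ", "215 ") of FTP/SMTP-style banners.
        text = re.sub(r"^\d{3}[ -]", "", response)
    return find_leaks(text)


def audit_all(samples):
    """Audit every sample; the result maps each label to its list of leaks."""
    return {label: audit(text) for label, text in samples.items()}


if __name__ == "__main__":
    for label, leaks in audit_all(SAMPLES).items():
        status = "LEAKS " + ", ".join(f"{k}={v}" for k, v in leaks) if leaks else "clean"
        print(f"{label:14s} {status}")
```

The hardened HTTP sample shows the target state for Apache: with ServerTokens set to Prod and ServerSignature Off, the Server header collapses to the bare product name and error pages stop appending the version string, so the audit reports it clean. The same pass can be pointed at SSH, SMTP and POP3 greetings collected from your own hosts.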
Aside from the other various vulnerabilities found in these programs, their default use is plain bad practice.

Leaky Web Servers

We previously mentioned some Web servers telling intrusive users about themselves in some scenarios. This is further complicated when things such as PHP, Common Gateway Interface (CGI), and powerful search engines are used. Like any other tool, these tools can be used in a constructive and creative way, or they can be used to harm.

Things such as PHP, CGI, and search engines can be used to create interactive Web experiences, facilitate commerce, and create customizable environments for users. These infrastructures can also be used for malicious deeds if poorly designed. A quick view of the Attack Registry and Intelligence Service (ARIS) shows the number three type of attack as the "Generic Directory Traversal Attack" (preceded only by the ISAPI and cmd.exe attacks, which, as of the time of current writing, are big with the Code Red and Nimda variants). This is, of course, the dot-dot (..) attack, or the relative path attack (…) exercised by including dots within the URL to see if one can escape a directory and attain a listing, or execute programs on the Web server.

Scripts that permit the traversal of directories not only allow one to escape the current directory and view a listing of files on the system, but they allow an attacker to read any file readable under the HTTP server process's ownership and group membership. This could allow a user to gain access to the passwd file in /etc or other nonprivileged files on UNIX systems, or on other implementations, such as Microsoft Windows OSs, which could lead to the reading of (and, potentially, writing to) privileged files. Any of the data from this type of attack could be used to launch a more organized, strategic attack. Web scripts and applications should be the topic of diligent review prior to deployment.

A Hypothetical Scenario

Other programs, such as Sendmail, will in many default implementations yield information about users on the system. To make matters worse, these programs use the user database as a directory for e-mail addresses. Although some folks may scoff at the idea of this being information leakage, take the following example into account.

A small town has two Internet service providers (ISPs). ISP A is a newer ISP, and has experienced a significant growth in customer base. ISP B is the older ISP in town, with the larger percentage of customers. ISP B is fighting an all-out war with ISP A, obviously because ISP A is cutting into their market, and starting to gain ground on ISP B. ISP A, however, has smarter administrators that have taken advantage of various facilities to keep users from gaining access to sensitive information, using tricks such as hosting mail on a separate server, and using different logins on the shell server to prevent users from gaining access to the database of mail addresses. ISP B, however, did not take such precautions.
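The directory traversal review the text calls for comes down to one check: does the requested path, once decoded and normalized, still sit under the document root? The code below is an added example, not the chapter's, and not a particular Web server's implementation. It assumes a document root of /var/www/html and uses constructed access-log lines; it resolves a URL path against the root lexically (so it works without touching the filesystem), rejects anything that climbs above it, including URL-encoded and double-encoded dot-dot segments and backslash separators, and then reuses the same function to flag traversal attempts in a log.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root for the example; any value works as long as the
# containment check below is made against the same root.
DOC_ROOT = "/var/www/html"

# Constructed access-log lines (common log format) for the detection pass.
SAMPLE_LOG = [
    '192.168.1.9 - - [05/Dec/2001:11:25:13 +0000] "GET /index.html HTTP/1.0" 200 1103',
    '192.168.1.9 - - [05/Dec/2001:11:25:14 +0000] "GET /images/../index.html HTTP/1.0" 200 1103',
    '192.168.1.9 - - [05/Dec/2001:11:25:15 +0000] "GET /../../etc/passwd HTTP/1.0" 404 214',
    '192.168.1.9 - - [05/Dec/2001:11:25:16 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 214',
    '192.168.1.9 - - [05/Dec/2001:11:25:17 +0000] "GET /%252e%252e/etc/passwd HTTP/1.0" 404 214',
]

# Pulls the request path out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')


def resolve_request_path(url_path, doc_root=DOC_ROOT):
    """Map a URL path onto doc_root; return None if it would escape the root.

    Decoding is applied twice so a double-encoded %252e%252e is caught as well,
    backslashes are treated as separators (relevant on Windows-hosted servers),
    and the check is purely lexical, so it works even when the file does not exist.
    """
    path = url_path.split("?", 1)[0]          # ignore the query string
    path = unquote(unquote(path))
    if "\x00" in path:                        # NUL would truncate the path in C code
        return None
    path = path.replace("\\", "/").lstrip("/")
    relative = posixpath.normpath(path)
    # normpath keeps leading ".." segments of a relative path; that is exactly
    # the signal that the request is trying to climb above the root.
    if relative == ".." or relative.startswith("../"):
        return None
    candidate = posixpath.normpath(posixpath.join(doc_root, relative))
    root = doc_root.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def is_traversal_attempt(url_path):
    """True when the request could not be served from inside the document root."""
    return resolve_request_path(url_path) is None


def flag_traversal_requests(log_lines):
    """Return the request paths from log lines that would escape the document root."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and is_traversal_attempt(match.group(1)):
            flagged.append(match.group(1))
    return flagged


if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Note that "/images/../index.html" is accepted: a dot-dot segment that stays inside the root is harmless, and rejecting on the literal ".." string alone would both block legitimate requests and miss the encoded forms. The containment test on the normalized result is what matters, and it is the same test a CGI script or PHP page should apply before opening any file named by user input.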
One day, the staff of ISP A gets a bright idea, and obtains an account with ISP B. This account gives them a shell on ISP B's mail server, from which the passwd file is promptly snatched, and all of its users mailed about a great new deal at ISP A offering them no setup fee to change providers, and a significant discount under ISP B's current charges.

As you can see, the leakage of this type of information can not only impact the security of systems, it can possibly bankrupt a business. Suppose that a company gained access to the information systems of their competitor. What is to stop them from stealing, lying, cheating, and doing everything they can to undermine their competition? The days of Internet innocence are over, if they were ever present at all.

Why Be Concerned with Information Leakage?

Some groups are not concerned with information leakage. Their reasons for this are varied, including reasons such as the leakage of information can never be stopped, or that not yielding certain types of information from servers will break compliance with clients. This also includes the fingerprinting of systems, performed by matching a set of known responses by a system type to a table identifying the operating system of the host.

Any intelligently designed operating system will at least give the option of either preventing fingerprinting, or creating a fingerprint difficult to identify without significant overhaul.
Some go so far as to even allow the option of sending bogus fingerprints to overly intrusive hosts. The reasons for this are clear. Referring back to our previous scenario about military reconnaissance, any group that knows they are going to be attacked is going to make their best effort to conceal as much information about themselves as possible, in order to gain the advantage of secrecy and surprise. This could mean moving, camouflaging, or hiding troops, hiding physical resources, encrypting communications, and so forth. This limiting of information leakage leaves the enemy to draw their own conclusions with little information, thus increasing the margin of error.

Just like an army risking attack by a formidable enemy, you must do your best to conceal your network resources from information leakage and intelligence gathering. Any valid information the attacker gains about one's position and perimeter gives the attacker intelligence from which they may draw conclusions and fabricate a strategy. Sealing the leakage of information forces the attacker to take more intrusive steps to gain information, increasing the probability of detection.